openSUSE Project Management Tool: Issues | https://progress.opensuse.org/ | 2023-11-04T11:09:38Z | openSUSE Project Management Tool (Redmine)
QA - action #139097 (Resolved): Improve collaboration with Eng-Infra - Firewall management access... | https://progress.opensuse.org/issues/139097 | 2023-11-04T11:09:38Z | okurz (okurz@suse.com)
<a name="Motivation"></a>
<h2 >Motivation<a href="#Motivation" class="wiki-anchor">¶</a></h2>
<p>SUSE-IT relies heavily on a new firewall configuration separating multiple zones, e.g. "QE" zones from other zones in R&D. In <a class="issue tracker-4 status-3 priority-5 priority-high3 closed child" title="action: Improve collaboration with Eng-Infra - Firewall management access, potentially also DHCP+DNS size:M (Resolved)" href="https://progress.opensuse.org/issues/125450">#125450</a> some limited access to firewall logs was already provided; however, in many cases that does not help us, as in the recent migration of qam.suse.de to PRG2.</p>
<p>After the instance was moved to PRG2, GitLab runners repeatedly could not reach qam.suse.de, as visible in <a href="https://gitlab.suse.de/qa-maintenance/bot-ng/-/jobs/1956085" class="external">https://gitlab.suse.de/qa-maintenance/bot-ng/-/jobs/1956085</a>:</p>
<pre><code>urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='dashboard.qam.suse.de', port=80): Max retries exceeded with url: /api/incidents (Caused by NewConnectionError('&lt;urllib3.connection.HTTPConnection object at 0x7f2730240780&gt;: Failed to establish a new connection: [Errno 110] Connection timed out',))
</code></pre>
<p>While this GitLab CI job was running, I looked into the firewall logs that I have access to using<br>
qe-debug.suse.de as documented on <a href="https://wiki.suse.net/index.php/OpenQA#Firewall_between_different_SUSE_network_zones" class="external">https://wiki.suse.net/index.php/OpenQA#Firewall_between_different_SUSE_network_zones</a></p>
<pre><code>tail -f /var/log/remote/gw-infra-log.suse.de.log | grep '\(10.145.0.26\|2a07:de40:b203:8:10:145:0:26\)'
</code></pre>
<p>using the IPv4+IPv6 addresses of qam.suse.de, which yields no results, so this firewall command is either not correctly constructed or does not have access to the corresponding relevant data. As we are critically relying on whatever firewall is impacting all of our services, we should ensure that there is enough redundancy in access.</p>
<a name="Acceptance-criteria"></a>
<h2 >Acceptance criteria<a href="#Acceptance-criteria" class="wiki-anchor">¶</a></h2>
<ul>
<li><strong>AC1:</strong> We can ensure that 2+ persons within EMEA timezones have access to firewalls covering multiple Nbg+Prg locations which actually affect us</li>
</ul>
<a name="Suggestions"></a>
<h2 >Suggestions<a href="#Suggestions" class="wiki-anchor">¶</a></h2>
<ul>
<li>Look into what was done in <a class="issue tracker-4 status-3 priority-5 priority-high3 closed child" title="action: Improve collaboration with Eng-Infra - Firewall management access, potentially also DHCP+DNS size:M (Resolved)" href="https://progress.opensuse.org/issues/125450">#125450</a> and <a href="https://sd.suse.com/servicedesk/customer/portal/1/SD-113832" class="external">https://sd.suse.com/servicedesk/customer/portal/1/SD-113832</a></li>
<li>Ask Eng-Infra who has access, why qe-debug.suse.de does not provide the relevant firewall denied messages and what to do to improve</li>
<li>Ensure whatever we come up with is properly documented and known within the SUSE QE Tools team</li>
</ul>
QA - action #125450 (Resolved): Improve collaboration with Eng-Infra - Firewall management access... | https://progress.opensuse.org/issues/125450 | 2023-03-06T12:30:04Z | okurz (okurz@suse.com)
<a name="Motivation"></a>
<h2 >Motivation<a href="#Motivation" class="wiki-anchor">¶</a></h2>
<p>Apparently in many cases <a class="user active user-mention" href="https://progress.opensuse.org/users/15284">@rwawrig</a> can help best with issues spanning multiple locations, e.g. firewall between NUE1 and NUE2, like in <a href="https://sd.suse.com/servicedesk/customer/portal/1/SD-113832" class="external">https://sd.suse.com/servicedesk/customer/portal/1/SD-113832</a>, but the time zone difference is an obstacle. Give more people like SUSE QE Tools access to firewalls, even if it's just read-only for investigation?</p>
<a name="Acceptance-criteria"></a>
<h2 >Acceptance criteria<a href="#Acceptance-criteria" class="wiki-anchor">¶</a></h2>
<ul>
<li><strong>AC1:</strong> We can ensure that 2+ persons within EMEA timezones have access to firewalls covering multiple Nbg+Prg locations</li>
</ul>
<a name="Suggestions"></a>
<h2 >Suggestions<a href="#Suggestions" class="wiki-anchor">¶</a></h2>
<ul>
<li>See how in <a href="https://sd.suse.com/servicedesk/customer/portal/1/SD-113832" class="external">https://sd.suse.com/servicedesk/customer/portal/1/SD-113832</a> <a class="user active user-mention" href="https://progress.opensuse.org/users/15284">@rwawrig</a> could help, but due to the significant time zone difference the reaction time is slow in both directions</li>
<li>Follow the discussion in <a href="https://sd.suse.com/servicedesk/customer/portal/1/SD-113959" class="external">https://sd.suse.com/servicedesk/customer/portal/1/SD-113959</a> regarding DHCP and apply the same solution for firewall if applicable, e.g. create a specific ticket with specific requirements and suggestions</li>
<li><em>Optional</em> also try to handle <a class="issue tracker-6 status-15 priority-4 priority-default child parent" title="coordination: [epic] Get management access to o3/osd and other QE related VMs (Blocked)" href="https://progress.opensuse.org/issues/121726">#121726</a> in the same ticket aka. "just get it done" :)</li>
</ul>